Acta Informatica (2020) 57:671–687https://doi.org/10.1007/s00236-020-00376-5

ORIG INAL ART ICLE

Characteristic invariants in Hennessy–Milner logic

Marc Jasper1 ·Maximilian Schlüter1 · Bernhard Steffen1

Received: 15 July 2019 / Accepted: 21 February 2020 / Published online: 6 May 2020© The Author(s) 2020

AbstractIn this paper, we prove that Hennessy–Milner Logic (HML), despite its structural limitations,is sufficiently expressive to specify an initial property ϕ0 and a characteristic invariant χI

for an arbitrary finite-state process P such that ϕ0 ∧ AG(χI ) is a characteristic formula forP . This means that a process Q, even if infinite state, is bisimulation equivalent to P iffQ |� ϕ0 ∧ AG(χI ). It follows, in particular, that it is sufficient to check an HML formulafor each state of a finite-state process to verify that it is bisimulation equivalent to P . Inaddition, more complex systems such as context-free processes can be checked for bisimula-tion equivalence with P using corresponding model checking algorithms. Our characteristicinvariant is based on so called class-distinguishing formulas that identify bisimulation equiv-alence classes in P and which are expressed in HML. We extend Kanellakis and Smolka’spartition refinement algorithm for bisimulation checking in order to generate concise class-distinguishing formulas for finite-state processes.

1 Introduction

Branching time semantics [34,35] and, in particular, variants of bisimulation [32,33,35,37,38,40] together with their congruence properties [12,36,37] are topics that Rob vanGlabbeek hasat heart. This also comprises probabilistic behavior [8], a topic that we (Rob and Bernhard)cooperated on almost thirty years ago [39]. Hennessy–Milner logic (HML) [17] can beconsidered the most basic modal logic for capturing branching time semantics. It is thereforenot surprising that Rob investigated its congruence properties [10,11]. The famous theoremof Hennessy and Milner [17] establishes the link between (strong) bisimulation and HML:two finitely branching processes can be separated by means of an HML formula if andonly if they are not bisimulation equivalent. This is often stated as HML and bisimulationhaving the same distinguishing power. Characteristic formulas have a more ambitious rolethan separating two processes, they are meant to characterize entire bisimulation equivalence

B Marc Jaspermarc.jasper@cs.tu-dortmund.de

Maximilian Schlütermaximilian.schlueter@cs.tu-dortmund.de

Bernhard Steffensteffen@cs.tu-dortmund.de

1 TU Dortmund University, Dortmund, Germany

123

672 M. Jasper et al.

classes: χ is a (bisimulation) characteristic formula for a process P if satisfaction of χ

coincides with being bisimulation equivalent to P , i.e.:

∀Q. (Q |� χ ⇐⇒ Q ∼bisim P)

In [2], Browne et al. showed how characteristic formulas can be constructed for finite-stateprocesses in computational tree logic (CTL).1 Moreover, in [28], it was shown how suchformulas can be generated within the modal μ-calculus (and HML with recursion, respec-tively).

In this paper, we prove that HML is sufficient to define an initial property ϕ0 and a char-acteristic invariant χI such that χP =def ϕ0 ∧AG(χI ) is a characteristic formula for a givenfinite-state process P . This means, in particular, that it is sufficient to check an HML formulafor each reachable state of a finite-state process to verify that it is bisimulation equivalent to P .In fact, using e.g. the model checking algorithms presented in [5–7], context-free processes,pushdown-processes, and sequential processes can be checked for bisimulation equivalencewith P .

Key to the construction of χP is the separation of the specification of the one-step tran-sition potential of states of P from their (loose) characterization. This separation essentiallydecomposes the global bisimulation property into a number of local-step properties in a wayreminiscent of Floyd’s inductive assertion method [9]: the global property is guaranteed viathe consistency—here given by the local transition potential—of (loose) invariants. The latterare given by distinguishing formulas for the bisimulation equivalence classes of P .

Whereas the one-step transition potential can be specified in the way proposed in [2], theclass-distinguishing formulas that separate non-bisimilar states can be constructed along theclassical partition refinement process for minimization up to bisimulation [21]. Key is thatthe constructed set of distinguishing formulas Φ for P has the following two properties:

– Each state of P satisfies some distinguishing formula.– The partition of reachable states in P that is induced byΦ defines a bisimulation relation.

Throughout this paper, we only compare processes from a given universe that is specified byan alphabet Σ . This alphabet Σ comprises all considered process actions (transition labels).Based on Σ and the before-mentioned set of distinguishing formulas Φ, the desired HMLinvariant χI for specifying the one-step potential of P can be derived as in [2]:

χI =def

∧

ϕ∈Φ

⎛

⎜⎜⎜⎝ϕ �⇒

⎛

⎜⎜⎜⎝∧

pa→p′,ψ∈Φ

p|�ϕ, p′|�ψ

〈a〉 ψ ∧∧

a∈Σ

[a]

⎛

⎜⎜⎜⎝∨

pa→p′,ψ∈Φ

p|�ϕ, p′|�ψ

ψ

⎞

⎟⎟⎟⎠

⎞

⎟⎟⎟⎠

⎞

⎟⎟⎟⎠

The resulting characteristic formula ϕ0 ∧AG(χI ) conceptually decomposes the verificationprocess in a ‘Floyd-like’ manner using invariants and class-distinguishing formulas. In con-trast, the characteristic formulas presented in [28] can rather be considered to be amonolithic,syntactic encoding of P .

After sketching some preliminaries in Sect. 2, Sect. 3 introduces our characteristic HMLinvariants based on class-distinguishing formulas and proves a corresponding characteri-zation theorem. Subsequently, Sect. 4 presents the concept of a set of class-distinguishingformulas (SCDF) as a means to establish a sufficient condition for guaranteeing that ourcharacteristic formula construction results in a formula that is satisfied by the argument LTS.

1 Please note that it is not required that Q is finite state.

123

Characteristic invariants in Hennessy–Milner logic 673

The effective construction of SCDFs from LTSs is described in Sect. 5. The underlyingalgorithm is an adaption of Kanellakis and Smolka’s algorithm for checking bisimulationequivalence [21] to generate the required class-distinguishing formulas. Following a discus-sion of related work in Sect. 6, the paper closes with our conclusions and an outlook inSect. 7.

2 Preliminaries

In this section, we recall the basic concepts that our approach is based on. Central in thisregard are the definition of labeled transition systems and the usual corresponding notion ofa process.

Definition 1 (LTSandprocess)A labeled transition system (LTS) is a tripleL = (SL ,ΣL ,→L )

with set SL of states, alphabet ΣL ,2 and transition relation →L⊆ SL × ΣL × SL .

We use the notation pa→L q to denote that (p, a, q) ∈→L and omit the subscript L in

cases where the LTS is unambiguous. Furthermore, given a state s′ ∈ SL and a label a ∈ ΣL ,we define the following shorthand notation for the set of a-predecessors of state s′

a−1s′ =def {s ∈ SL | s a→ s′}This definition extends naturally to sets of states: for each S′ ⊆ SL , we have

a−1S′ =def

⋃

s′∈S′a−1s′

Every state s ∈ SL of an LTS L defines a process PL (s) that constraints initial transitionsto start in s. A state s′ ∈ SL is reachable in PL (s), denoted by s →∗

Ls′, iff there exists a

sequence of transitions siai→L si+1 in →L with i ∈ 0 .. (k − 1) for some k ∈ N such that

s0 = s and sk = s′. This notion naturally generalizes to a notion of reachability within anLTS L from any state s of L .

We are aiming at characterizing processes up to bisimulation, a semantic equivalence relationthat is known to preserve properties expressed in most temporal logics, in particular thosethat can be expressed in the modal μ-calculus [1].

Definition 2 (Bisimulation) Let L = (SL ,ΣL ,→L ) be an LTS. A symmetric relationR ⊆ (SL × SL ) is called a bisimulation if the following holds for all (p, q) ∈ R:

∀(pa→ p′) ∈→L . ∃(q

a→ q ′) ∈→L . (p′, q ′) ∈ R

Two states s, s′ ∈ S are called bisimilar in L , written as s ∼L s′, iff there exists a bisimulationR with (s, s′) ∈ R.3

Given a second LTS L ′ = (SL′ ,ΣL′ ,→L′ ), two processes PL (s) and P

L′ (s′) arecalled bisimilar, written as PL (s) ∼ P

L′ (s′), iff there exists a bisimulation inL ′′ = (SL

·∪ SL′ ,ΣL ∪ Σ

L′ ,→L·∪ →

L′ ) that contains (s, s′).4

2 Note that ΣL ⊆ Σ holds for any LTS L , because—as stated in the introduction—we only considerLTSs/processes from a given universe specified by Σ .3 Note that ∼, which is in fact the union of all bisimulation relations, is itself a bisimulation.4 The operator ·∪ stands for the disjoint union of two sets.

123

674 M. Jasper et al.

Our characteristic invariants are formulas specified in Hennessy–Milner logic (HML) [17]that extends propositional logic with a modal operator 〈·〉 (diamond):

Definition 3 (HML) Given an alphabet Σ , Hennessy–Milner logic (HML) is defined by thefollowing grammar in Backus–Naur form

ϕ ::= tt | ¬ϕ | (ϕ ∧ ϕ) | 〈α〉 ϕ

where α is a meta-variable for an arbitrary element of Σ . In addition, the following derivedoperators are frequently used:

ff =def ¬tt ϕ1 ∨ ϕ2 =def ¬(¬ϕ1 ∧ ¬ϕ2)

ϕ1 �⇒ ϕ2 =def ¬ϕ1 ∨ ϕ2 [α] ϕ =def ¬〈α〉 ¬ϕ

Definition 4 (Semantics of HML) The semantics of HML are defined relative to a given LTSL = (S,ΣL ,→) and formalized via the following satisfaction relation |�L ⊆ S × HML:

s |�L tts |�L ¬ϕ iff s �|�L ϕ

s |�L ϕ1 ∧ ϕ2 iff s |�L ϕ1 and s |�L ϕ2

s |�L 〈a〉 ϕ iff ∃s′ ∈ S. sa→ s′ and s′ |�L ϕ

where s ∈ S,a ∈ Σ andϕ, ϕ1, ϕ2 ∈ HML.Weomit the subscript L of |�L if it is unambiguousin a given context, and often abbreviate p |�L ϕ and q |�L ϕ by p, q |�L ϕ. In cases werewe want to emphasize the process perspective, we write PL (s) |� ϕ instead of s |�L ϕ.

In the following, we will establish that HML is sufficient to define the invariants required forour characteristic formulas.

3 Generalized characteristic HML invariant

Our definition of a generalized characteristic HML invariant follows the “diamond-box-pattern” originally introduced in [13,15]:

Definition 5 (Generalized characteristic HML invariant) Let Σ be a global alphabet thatcontains all considered action labels. With a pair (Φ,Ψ ) such that Φ is a finite set of HMLformulas and Ψ : Φ × Σ → 2Φ a function we associate an HML formula χI (Φ,Ψ ) calledgeneralized characteristic invariant (GCI) as follows:

χI (Φ,Ψ ) =def

∧

ϕ∈Φ

⎛

⎜⎜⎝ϕ �⇒

⎛

⎜⎜⎝∧

a∈Σ,ψ∈Ψ (ϕ,a)

〈a〉 ψ ∧∧

a∈Σ

[a]⎛

⎝∨

ψ∈Ψ (ϕ,a)

ψ

⎞

⎠

⎞

⎟⎟⎠

⎞

⎟⎟⎠

Given an LTS L = (S,ΣL ,→), we write L |� AG(ϕ) iff s |�L ϕ holds for all s ∈ S andsay that χI (Φ,Ψ ) is a GCI for L iff L |� AG(χI (Φ,Ψ )). We sometimes write χI insteadof χI (Φ,Ψ ) iff the arguments are unambiguous in a given context.

In order to capture our notion of a GCI, we extend HML as follows.

Definition 6 (Syntax of HMLAG) Given an alphabet Σ , Hennessy–Milner logic with AG(HMLAG) is defined by the following grammar in Backus–Naur form

ϕ ::= tt | ¬ϕ | (ϕ ∧ ϕ) | 〈α〉 ϕ | AG(ϕ)

123

Characteristic invariants in Hennessy–Milner logic 675

where α is a meta-variable for an arbitrary element of Σ . The derived operators of HML arealso used for HMLAG .

HMLAG is equivalent to a logic called EF or UB− in the literature [25] and is itself a fragmentof CTL. In this paper, we are only interested in two patterns of HMLAG formulas, namelyAG(χI ) and ϕ0 ∧AG(χI ) where ϕ0,χI ∈ HML. Definition 6 therefore specifies AG insteadof an EF operator.

Definition 7 (Semantics of HMLAG) The semantics of HMLAG are defined relative to agiven LTS L = (S,ΣL ,→). Given an LTS L , the satisfaction relation |�L ⊆ S × HMLAG

extends Definition 4 with the following clause:

s |�L AG(ϕ) iff ∀s′ ∈ S. s →∗Ls′ implies s′ |�L ϕ

where s ∈ S and ϕ ∈ HMLAG. Shorthand notations are defined as in Definition 4.

Note the overloading of AG. In fact, we have:

L |� AG(ϕ) iff ∀s ∈ S. s |�L AG(ϕ)

iff ∀s ∈ S. PL(s) |� AG(ϕ)

Please recall that we only consider LTSs and processes from a universe that is specifiedby an alphabet Σ , i.e. the set of possible actions. The following lemma illustrates the powerof the “diamond-box-pattern” [13,15] that underlies our definition of GCIs.

Lemma 1 Let χI (Φ,Ψ ) be a GCI and L = (S,ΣL ,→) an LTS such that L |� AG(χI ).Then

R = {(p, q) ∈ S × S | ∃ϕ ∈ Φ. p, q |�L ϕ}is a bisimulation.

Proof Let χI (Φ,Ψ ) be a GCI that is based on some finite set Φ of HML formulas and somefunction Ψ : Φ × Σ → 2Φ . Furthermore, let L be any LTS such that L |� AG(χI (Φ,Ψ )).As the empty relation is clearly a bisimulation, we can assume that R is not empty. Let usnow consider an arbitrary pair (p, q) ∈ R. Then there exists a formula ϕ ∈ Φ with p, q |� ϕ.Therefore, we know due to L |� AG(χI (Φ,Ψ )) that both p and q satisfy

∧

a∈Σ,ψ∈Ψ (ϕ,a)

〈a〉 ψ ∧∧

a∈Σ

[a]⎛

⎝∨

ψ∈Ψ (ϕ,a)

ψ

⎞

⎠ .

R is obviously symmetric. Therefore, it suffices to prove the defining invariance property of

bisimulation (Definition 2). Let pb→ p′ be an arbitrary transition starting in p. Looking at

the subformula

[b]⎛

⎝∨

ψ∈Ψ (ϕ,b)

ψ

⎞

⎠

that must be satisfied by p, we know that p′ |� ∨ψ∈Ψ (ϕ,b) ψ . Therefore, there exists a

ψ ′ ∈ Ψ (ϕ, b) that is satisfied by p′. The fact that q satisfies the subformula∧

a∈Σ,ψ∈Ψ (ϕ,a)

〈a〉 ψ

123

676 M. Jasper et al.

now yields that q satisfies 〈b〉 ψ ′, i.e., the existence of a transition qb→ q ′ such that q ′

satisfies ψ ′. Thus, both p′ and q ′ satisfy ψ ′ which guarantees (p′, q ′) ∈ R. ��

Of course, not every GCI fits each LTS L , e.g., the bisimulation guaranteed by the abovecharacterization lemma may well be empty. GCIs develop their full characterizing poweronly in combination with an initial condition:

Lemma 2 Let χI (Φ,Ψ ) be a GCI and ϕ0 ∈ Φ. Moreover, let L = (SL ,ΣL ,→L ),L ′ = (S

L′ ,ΣL′ ,→L′ ) be two LTSs with states s ∈ SL and s′ ∈ SL′ such that s |�L ϕ0

and s′ |�L′ ϕ0, respectively. Then we have:

1. L |� AG(χI ) and L ′ |� AG(χI ) implies PL (s) ∼ PL′ (s′).

2. If all states of SL are reachable from s in L and all states of SL′ are reachable from s′ in

L ′, then PL (s) ∼ PL′ (s′) implies L |� AG(χI ) and L ′ |� AG(χI ).

Proof Let χI be a GCI and L and L ′ two LTS with states s ∈ SL and s′ ∈ SL′ such that

s |�L ϕ0 and s′ |�L′ ϕ0, respectively.

In order to prove the first part of Lemma 2,we assume that L |� AG(χI ) and L′ |� AG(χI )

hold, and observe that

L ′′ = (SL·∪ S

L′ ,ΣL ∪ ΣL′ ,→L

·∪ →L′ )

is a well-defined LTS which also satisfies AG(χI ) and in which both s and s′ satisfy ϕ0, i.e.,

s, s′ |�L′′ ϕ0. Thus, Lemma 1 guarantees that

R = {(p, q) ∈ (SL·∪ S

L′ ) × (SL·∪ S

L′ ) | ∃ϕ ∈ Φ. p, q |�L′′ ϕ}

is a bisimulation. As s, s′ |�L′′ ϕ0 also implies (s, s′) ∈ R, we can conclude that PL (s) and

PL′ (s′) are bisimilar as desired.

Our semantics of AG for an entire LTS coincides with the (standard) semantics for pro-cesses in which all states are reachable. Thus, the proof of the second part is a consequenceof the well-known fact that bisimulation preserves e.g. all CTL and modal μ-calculusformulas. ��

The following theorem is a straightforward reformulation of Lemma 2 considering processesas models of the GCI instead of LTSs:

Theorem 1 (GCI-based characteristic formulas) Let χI be a GCI based on a finite set Φ ofHML formulas, ϕ0 ∈ Φ, and L = (SL ,ΣL ,→L ), L

′ = (SL′ ,ΣL′ ,→L′ ) be two LTSs with

states s ∈ SL and s′ ∈ SL′ . Then we have:

(PL (s) |� ϕ0 ∧ AG(χI ) and PL′ (s

′) |� ϕ0 ∧ AG(χI )) iff PL (s) ∼ PL′ (s

′)

Whereas the implication from left to right is just a reformulation of Lemma 2(1), the con-verse implication exploits the fact that satisfaction of invariance properties of processes onlyconcerns the reachable states.

The following section establishes a sufficient condition for sets of formulas Φ to serve as abasis for the definition of non-trivial GCIs for a finite-state LTS, i.e., GCIs that remain validwhen initial conditions ϕ ∈ Φ are added, resulting in characteristic formulas for processesas shown in Theorem 1.

123

Characteristic invariants in Hennessy–Milner logic 677

1

2

a

4a

3ab

5

b

b

a

Fig. 1 Nondeterministic LTS

4 Class-distinguishing formulas

Our notion of class-distinguishing formulas is directly based on the concept of bisimulation:

Definition 8 (Set of class-distinguishing formulas (SCDF)) Given any LTS L = (S,ΣL ,→),a finite set Φ ⊆ HML with ∀s ∈ S. ∃ϕ ∈ Φ. s |� ϕ is called set of class-distinguishingformulas (SCDF) for L iff

R = {(p, q) ∈ S × S | ∃ϕ ∈ Φ. p, q |� ϕ}is a bisimulation.

Example 1 (Set of class-distinguishing formulas (SCDF)) Consider the LTS L depicted inFig. 1. The history tree in Fig. 2 identifies the set Φ = {ϕ1, ϕ2, ϕ3} with

ϕ1 = 〈a〉 〈a〉 ttϕ2 = 〈a〉 tt ∧ [a] [a] ffϕ3 = [a] ff

as an SCDF for L . The subscript i in ϕi correlates with the corresponding state identifier sisuch that si |� ϕi . Note that state 2 is bisimilar to state 5 and that state 3 is bisimilar to state 4.

BeingHML formulas, the elements of an SCDFΦ for L can, in general, not fully characterizethe behavior of states in L . They are only sufficient to identify bisimulation equivalenceclasses in the context of L . In the following, we will see how the “diamond-box-pattern”turns this property into a property that universally characterizes processes up to bisimulation,even in the context of infinite-state systems.

Definition 9 (SCDF-based GCIs) Let L = (S,ΣL ,→) be an LTS, Φ an SCDF for L , andΨ : Φ × Σ → 2Φ defined by

Ψ (ϕ, a) = {ψ ∈ Φ | ∃p, q ∈ S. pa→ q ∧ p |� ϕ ∧ q |� ψ}.

Then χI (Φ,Ψ ) is called a GCI for L based on Φ.

A GCI χI based on an SCDF for L is sufficient to guarantee that L |� AG(χI ).

Lemma 3 Let L = (S,ΣL ,→) be any LTS, Φ an SCDF for L, and χI a GCI for L basedon Φ. Then we have L |� AG(χI ).

123

678 M. Jasper et al.

Proof Let L = (S,ΣL ,→) be an LTS, Φ an SCDF for L , and χI (Φ,Ψ ) a GCI for L basedon Φ. Then we have to prove that L satisfies the following formula:

AG

⎛

⎜⎜⎝∧

ϕ∈Φ

⎛

⎜⎜⎝ϕ �⇒

⎛

⎜⎜⎝∧

a∈Σ,ψ∈Ψ (ϕ,a)

〈a〉 ψ ∧∧

a∈Σ

[a]⎛

⎝∨

ψ∈Ψ (ϕ,a)

ψ

⎞

⎠

⎞

⎟⎟⎠

⎞

⎟⎟⎠

⎞

⎟⎟⎠

where

Ψ (ϕ, a) = {ψ ∈ Φ | ∃p, q ∈ S. pa→ q ∧ p |� ϕ ∧ q |� ψ}.

According to the semantics of L |� AG(ϕ) for some ϕ ∈ HML, it suffices to show thatevery state s ∈ S satisfies the conjunction χI (Φ,Ψ ) that serves as the argument of the AGoperator. Let s ∈ S and ϕ ∈ Φ be arbitrary but fixed elements. We can assume that s |� ϕ,because otherwise the implication is trivially satisfied. Thus, it remains to be shown that

s |�∧

a∈Σ,ψ∈Ψ (ϕ,a)

〈a〉 ψ ∧∧

a∈Σ

[a]⎛

⎝∨

ψ∈Ψ (ϕ,a)

ψ

⎞

⎠

holds. Therefore, let ϕc be any of the conjuncts in that HML formula. In order to show itsvalidity, we distinguish between two cases:

Case 1: ϕc = 〈a〉ψ for some a ∈ Σ with ψ ∈ Ψ (ϕ, a).Because of ψ ∈ Ψ (ϕ, a), there exist states p, q ∈ S and a transition p

a→ q withp |� ϕ and q |� ψ . Thus, we have p |� ϕc. In addition, s, p |� ϕ implies s ∼L paccording to the definition of an SCDF. As bisimilar states satisfy the same HMLformulas [17], this yields s |� ϕc, which closes the first case.

Case 2: ϕc = [a] δ with δ = ∨ψ∈Ψ (ϕ,a) ψ for some a ∈ Σ .

In this case, the following has to be shown:

∀s′ ∈ S. sa→ s′ implies s′ |� δ

Therefore, let s′ ∈ S be any state such that sa→ s′ and ψ ∈ Φ be a corresponding

formula with s′ |� ψ . Such a formula exists due to the definition of an SCDF.Now, s |� ϕ implies ψ ∈ Ψ (ϕ, a) by definition of Ψ which guarantees that ψ is adisjunct in δ and therefore that s′ |� δ as desired. ��

The following theorem follows straightforwardly fromLemma 3 and the definition of SCDFs.

Theorem 2 (Sufficiency for characterization) Let L = (S,ΣL ,→) be any LTS with s0 ∈ S,Φ an SCDF for L, and χI a GCI for L based on Φ. Then there exists a ϕ0 ∈ Φ such thats0 |� ϕ0 and we have:

PL(s0) |� ϕ0 ∧ AG(χI )

The presented construction of a GCI for an LTS L depends on a corresponding SCDF (Defi-nition 8). The next section introduces an approach that allows us to elegantly generate thesesets of class-distinguishing formulas for any finite-state LTS.

123

Characteristic invariants in Hennessy–Milner logic 679

5 Generation of characteristic invariants for finite-state LTSs

In this section, we present an algorithm that automatically generates a finite set of class-distinguishing formulas (SCDF) for any finite-state LTS L . Given this SCDF, a GCI for Lcan be generated according to Sect. 4.

After a brief sketch of partition refinement [16,19] and so called splitters, Sect. 5.2introduces the class-distinguishing functions that we use to generate an SCDF. Afterwards,Sect. 5.3 presents our algorithm together with an accompanying example.

5.1 Partition refinement

Partition refinement serves as the underlying concept of many analysis and verification tech-niques [31].

Definition 10 (Partition refinement) Given a set S, P ⊆ 2S is a partition of S iff its elements,called classes, are non-empty, pairwise disjoint, and cover S when merged (

⋃X∈P X = S).

Given two partitions P and Q of S, P refines Q, denoted by P � Q, iff for each X ∈ Pthere exists a Y ∈ Q such that X ⊆ Y . We write P ≺ Q iff P � Q and P �= Q.

Our algorithm that is presented in Sect. 5.3 relies on partition refinement: it extends the algo-rithm by Kanellakis and Smolka [21] for the minimization of non-deterministic systems upto bisimulation. Our extension computes HML formulas that allow to identify the individualclasses of the partitions that arise during the refinement algorithm.

Partition refinement within this algorithm is based on witnesses, called splitters, whichprove that one or more classes contain states that are not bisimilar.

Definition 11 (Splitter) Let L = (S,ΣL ,→) be an LTS and P a partition over S. LetB, Y ∈ P and a ∈ ΣL . Then the pair (B, a) is a splitter of Y iff Y ∩ a−1B �= ∅ andY\a−1B �= ∅ (see Definition 1). We denote this by (B, a) | Y . Furthermore, we define theabbreviations Ya

B =def Y ∩ a−1B and Y � aB =def Y\a−1B.

Note that (B, a)might be a splitter for multiple classes in P . A refinement based on (B, a)

splits all those classes:

Definition 12 (Splitter-based refinement) Let P be a partition and (B, a) a splitter of someclass Y ∈ P . Let P ′ = {Y ∈ P | (B, a) is a splitter of Y }. Then the partition

PaB =def (P\P ′) ∪ {Ya

B | Y ∈ P ′} ∪ {Y � aB | Y ∈ P ′}

is called the refinement of P based on (B, a).

Kanellakis and Smolka [21] proved that exhaustive splitting while starting with the trivialpartition inevitably results in the coarsest partition that defines a bisimulation. The nextsection shows how we obtain formulas that uniquely identify the classes of this partition bythe corresponding satisfaction relation, a property that makes the set of those formulas anSCDF.

5.2 Class-distinguishing functions

The SCDFs that we construct depend on the concrete chain of refinements produced by the(typically non-deterministic) partition refinement algorithm. Thus, let us consider an arbitrarybut fixed scenario in this subsection, i.e.:

123

680 M. Jasper et al.

Let L = (S,ΣL ,→) be a finite-state LTS, P0 = {S}, (B0, a0) , . . . , (Bm−1, am−1) asequence of m splitters, and P0 , . . . , Pm the corresponding sequence of m + 1 (refined)partitions such that for all k ∈ 0 .. m − 1, we have

1. (Bk, ak) is a splitter of some Y ∈ Pk ,2. Pk+1 is the refinement of Pk based on (Bk, ak), and3. Pm cannot be refined based on splitting.

This allows for the following inductive definition:

Definition 13 (Class-distinguishing functions) The sequence ϕ0 , . . . , ϕm withϕk : Pk → HML for all k ∈ 0 .. m inductively defined by ϕ0(S) = tt and

ϕk+1(X) =def

⎧⎪⎨

⎪⎩

ϕk(Y ) ∧ 〈ak〉 ϕk(Bk) if ∃Y ∈ Pk . (Bk, ak) | Y and X = YakBk

ϕk(Y ) ∧ ¬〈ak〉 ϕk(Bk) if ∃Y ∈ Pk . (Bk, ak) | Y and X = Y � akBk

ϕk(X) otherwise.

is called sequence of class-distinguishing functions.

Note that the three cases in the definition of ϕk+1(X) are disjoint and that Y is unique inthe first two cases. For this sequence of class-distinguishing functions, which is uniquelydetermined by the considered scenario, we have:

Theorem 3 (Class-distinguishing functions)

∀k ∈ 0 .. m. ∀X ∈ Pk . ∀s ∈ S. s ∈ X iff s |� ϕk(X)

Proof We prove the validity of the statement

A(k) =def ∀X ∈ Pk . ∀s ∈ S. s ∈ X iff s |� ϕk(X)

by induction over k ∈ 0 .. m.

Base case (k = 0): Initially, we have P0 = {S} and ϕ0(S) = tt and therefore ∀s ∈ S. s |� ttas required.

Induction hypothesis: Let A(k) hold for an arbitrary but fixed k ∈ 0 .. (m − 1).

Induction step (k → k+1): Let X ∈ Pk+1 and s ∈ S be both arbitrary but fixed. We proceedby proving the two required implications depending on the cases within Definition 13 for theconstruction of ϕk+1(X).

Case 1: ∃Y ∈ Pk . (Bk, ak) | Y and X = YakBk

(i) s ∈ X implies s |� ϕk+1(X):We assume that s ∈ X . Because of (Bk, ak) | Y , we know that X ⊂ Y and therefores ∈ Y . Due to the induction hypothesis, we have s |� ϕk(Y ). Based on s ∈ Yak

Bk, we

know that s has an ak-successor in Bk (Definition 11). Let s′ denote such a successor.By induction hypothesis, it follows that s′ |� ϕk(Bk). Due to s

ak→ s′ and HMLsemantics, we know that s |� 〈ak〉 ϕk(Bk). Thus, we have s |� ϕk(Y )∧〈ak〉ϕk(Bk) =ϕk+1(X).

(ii) s |� ϕk+1(X) implies s ∈ X :We assume s |� ϕk+1(X), which means that s |� ϕk(Y ) ∧ 〈ak〉ϕk(Bk). Because ofthe induction hypothesis and the first conjunct, we know that s ∈ Y . Using HMLsemantics and the induction hypothesis, the second conjunct implies that there exists

a transition sak→ s′ such that s′ ∈ Bk . Thus, we have s ∈ (Y ∩ ak−1Bk) = Yak

Bk= X .

123

Characteristic invariants in Hennessy–Milner logic 681

{1,2,3,4,5}

{1,2,5}<a>(tt)

{3,4}

!<a>(tt)

a

{1}<a>(tt & <a>(tt))

{2,5}

!<a>(tt & <a>(tt))

!a

a

!a{1,2,3,4,5}

{1,2,5}<a>(tt)

{3,4}

!<a>(tt)

a

{1}<a>(tt & <a>(tt))

{2,5}

!<a>(tt & <a>(tt))

!a

a

!a

Fig. 2 Partition refinement history and corresponding class-distinguishing predicates based on the input-LTSfrom Fig. 1 as generated by a tool that implements Algorithm 1. Dotted arrows denote splitters

Case 2: ∃Y ∈ Pk . (Bk, ak) | Y and X = Y � akBk

Analogous to case 1.Case 3: X is not split by (Bk, ak)

Then X ∈ Pk and ϕk+1(X) = ϕk(X) and therefore by induction as desired:

s ∈ X iff s |� ϕk(X) (= ϕk+1(X)) ��

In summary, the class-distinguishing functions are defined such that they reflect informationabout each splitter in HML. This information can be summarized on the basis of a decisiontree with node set

N =⋃

k∈0 .. m

Pk

and edges set

E =⋃

i∈0 .. m−1

{(C,C ′) ∈ Pi × Pi+1 | C ′ ⊂ C}

where for each k ∈ 0 .. m − 1, all the nodes C ∈ Pk that are split by (Bk, ak) are annotatedwith the predicate 〈ak〉 ϕk(Bk). If this predicate evaluates to true, then one continues withCakBk, otherwise with C � ak

Bk.

Figure 2 illustrates such a decision tree based on the LTS depicted in Fig. 1. As Fig. 2 isintended to also display the partition classes, the predicates were moved to the edges.

In the following, we present our algorithm that incorporates both the partition refinement andthe corresponding labeling based on class-distinguishing functions.

5.3 Algorithm for generating an SCDF

WeuseAlgorithm 1 to generate an SCDF (Definition 8). This algorithm is conceptually basedon the “naive method” from [21]. As such, the derived partition P is actually the coarsestpartitionw.r.t. bisimulation.Additionally, our iteratively defined class-distinguishing function(Definition 13) is incorporated.

123

682 M. Jasper et al.

Algorithm 1 Algorithm for generating an SCDFInput: A finite-state LTS L = (S, ΣL ,→)

Output: An SCDF of L1: function StateFormulas(S,ΣL , →)2: P ← {S}3: W ← P × ΣL4: ϕ[S] ← tt5: while W �= ∅ do6: (B, α) ← pop(W )

7: splitterFormula ← ϕ[B]8: for all Y ∈ P which are split by (B, α) do9: classFormula ← ϕ[Y ]10: replace Y in P by Yα

B and Y �αB

11: delete entry for Y in ϕ

12: ϕ[YαB ] ← classFormula ∧ 〈α〉 splitterFormula

13: ϕ[Y �αB ] ← classFormula ∧ ¬〈α〉 splitterFormula

14: W ← UpdateWorkset(W , Y , (B, α), ΣL )

15: return {ϕ[X ] | X ∈ P}

Algorithm 21: function UpdateWorkset(W , Y , (B, α), ΣL )2: for all β ∈ ΣL do3: if (Y , β) ∈ W then remove (Y , β) from W

4: add (YαB , β), (Y �α

B , β) to W

5: return W

Theworklist of Algorithm 1 contains potential splitters (Definition 11).Whenever the currentpartition P is refined and new classes are thereby added to it, these classes are combined withevery possible transition label and added to the worklist (Algorithm 2). Every time that sucha partition refinement occurs, the class-distinguishing function ϕ is updated according toDefinition 13 in order to incorporate information about the most recent splitter (lines 11–13of Algorithm 1).

Note that the order in which splitters are applied is not defined by Algorithm 1. In thefollowing, we assume a fixed order of splitters. As stated in Sect. 5.2 and visible in the pseudocode (lines 12 and 13 of Algorithm 1), the definition of the class-distinguishing functionthroughout the algorithm’s execution is based on that order of splitters. The sequence ofsplitters is exactly the sequence of those pairs received in line 6 of Algorithm 1 for whichthe inner for-all loop (line 8) executes at least one iteration.

Example 2 (Algorithm 1) Consider the LTS in Fig. 1 as input for Algorithm 1. Figure 2illustrates the two refinements during an execution of Algorithm 1 for this input LTS. Theactual class-distinguishing formulas generated by Algorithm 1 are as follows. In line withSect. 5.2, we use a subscript index to refer to different refinements (Definition 12).

The algorithm’s internal variables are initialized to P0 = {S = {1, 2, 3, 4, 5}} (line 2) andϕ0[S] = tt (line 4).

The first splitter is (S, a) (line 6). It splits the class S into the sets SaS = {1, 2, 5} andS � aS = {3, 4} (line 10). This split occurs because on the one hand, we have 1

a→ 2, 2a→ 3,

5a→ 3, and 2, 3, 5 ∈ S, and on the other hand, states 3 and 4 do not have outgoing transitions

123

Characteristic invariants in Hennessy–Milner logic 683

labeled a (cf. Fig. 1). The new partition is given by P1 = {{1, 2, 5}, {3, 4}} (line 10) and theformulas are ϕ1[{1, 2, 5}] = tt ∧ 〈a〉 tt (line 12) and ϕ1[{3, 4}] = tt ∧ ¬〈a〉 tt (line 13).

The second splitter is ({1, 2, 5}, a). Note that in the meantime, several other checks forpossible refinements may have been performed that failed. For simplicity, we will only listactual splitters (Definition 11). The splitter ({1, 2, 5}, a) separates the class {1, 2, 5} into

the sets {1} and {2, 5}. Again, this happens because on the one hand, we have 1a→ 2 with

2 ∈ {1, 2, 5}, and on the other hand, states from {2, 5} do not possess outgoing transitionslabeled a that end in {1, 2, 5}. The new and final partition is given by P = {{1}, {2, 5}, {3, 4}}and the formulas are:

ϕ2[{1}] = tt ∧ 〈a〉 tt ∧ 〈a〉 (tt ∧ [a] tt)ϕ2[{2, 5}] = tt ∧ 〈a〉 tt ∧ ¬〈a〉 (tt ∧ [a] tt)ϕ2[{3, 4}] = tt ∧ ¬〈a〉 tt

Note that states 2 and 5 as well as 3 and 4 are bisimilar, respectively. The algorithm terminates(after potentially executing a few more checks for splitters) because the splitter potential isexhausted.

Algorithm 1 resembles the “naive” algorithm by Kanellakis and Smolka [21] which is knownto run in cubic time and to terminate with the coarsest partition up to bisimulation. Thus, thefollowing theorem is a consequence of Theorem 3 which guarantees the correct labeling ofthe partition classes.

Theorem 4 (Correctness of Algorithm 1) Given an LTS L, Algorithm 1 terminates with anSCDF for L.

The following theorem summarizes the main result of this paper. Please recall that bydefinition of an SCDF, every state s ∈ S has a formula ϕ ∈ Φ with s |�L ϕ:

Theorem 5 (Main theorem) Let L be an LTS L = (S,ΣL ,→), Φ an SCDF for L generatedby Algorithm 1, χI the GCI for L based on Φ, and s ∈ S, ϕ ∈ Φ with s |�L ϕ. Then for anyPL′ (s′) based on some LTS L ′ = (S′,Σ ′

L′ ,→′) with s′ ∈ S′, we have:

PL′ (s

′) |� ϕ ∧ AG(χI ) iff PL (s) ∼ PL′ (s

′)

Proof Theorem 4 guarantees that Φ is an SCDF which, by Theorem 2, impliesPL (s) |� ϕ ∧ AG(χI ). Thus, applying Theorem 1 yields the desired statement. ��

6 Discussion of related work

The coincidence theorem of Hennessy andMilner states that, given a finitely-branching LTS,two states are bisimilar if and only if they enjoy the same set of HML formulas (first stated1980 in [17] and again in [18]). Thus, HML has distinguishing power: any two non-bisimilarfinitely-branching LTSs can be distinguished by a formula in HML.

The idea of characteristic formulas goes beyond distinguishability: It requires that, givena finitely-branching LTS, there exists a (single) formula that distinguishes this LTS fromany other non-bisimilar (finitely-branching) LTS. It is clear that this “swap of quantifiers”leads to a requirement that cannot be satisfied by HML as HML formulas are limited in theirsensitivity to finite prefixes of computation trees.

123

684 M. Jasper et al.

In 1984, Graf and Sifakis published a scheme by which characteristic formulas for finiteCCSprocesses5 canbederived [13,15]. Such a scheme is usually referred to as (characteristic)translation. The pattern introduced by Graf and Sifakis, which we refer to as “diamond-box-pattern”, is used in almost all following publications on characteristic formulas, includingthis paper (see Definition 5). Graf and Sifakis also extended the idea of Hennessy and Milnerin the sense that they interpret the coincidence theorem as a strict requirement for sensibletemporal logics [14]. Thereby such logics are “sufficiently powerful to distinguish non-congruent terms”. Indeed, as later shown in various publications, many famous temporallogics such as HML, CTL, and μ-calculus satisfy this claim.

Browne, Clarke, and Grumberg were the first to take the step from finite to finite-statesystems in 1987, again based on the “diamond-box-pattern” by Graf and Sifakis, but thistime generalized using implication in order to deal with cycles [2]. The key idea, whichis also used in this paper, consists of two steps. First, find a formula for each state thatdistinguishes it from every other state of the considered finite-state system. Second, showthat the generalized “diamond-box-pattern” for connecting these distinguishing formulas issufficient to define characteristic formulas for finite-state systems. In essence, they observedthat non-bisimilar states of finite-state systems can be distinguished by a finite prefix of thecorresponding computation tree6 which allowed them to infer their distinguishing formulassimply as characteristic formulas up to a certain depth of bisimilarity.

The paper [28] introduced a technique for deriving characteristic formulas in the modalμ-calculus for finite-state processes (with divergence potential [26,27]). Key idea was toassociate each state of the LTSwith a fixed point variable and to construct a modal equationalsystem on the basis of the “diamond-box-pattern” which can then be translated into themodalμ-calculus. As this translation leads to formulas of exponential size, [30] focused on modalequational systems as they provide characterizations that are linear in the size of a property,making bisimulation checking via model checking attractive.

Like [2], the approach presented in this paper is based on the combination of distinguishingformulas using the generalized “diamond-box-pattern”. The main difference is the construc-tion of the distinguishing SCDF based on Algorithm 1 which has a reduced form of linearsize in terms of a recursion-free equational system. Key to this construction is an extensionof Kanellakis and Smolka’s partition refinement algorithm for bisimulation checking [21] inorder to incrementally compute distinguishing formulas for the individual partition classes.By construction, this leads to distinguishing formulas with linearly many distinct subfor-mulas. Therefore, their corresponding representation in terms of a directed acyclic graphor, equivalently, as recursion-free equational system, is guaranteed to be linear in the num-ber of bisimulation equivalence classes. Thus, the characteristic formulas proposed in thispaper can be regarded as very concise versions and therefore practical optimizations of thecharacteristic formulas of [2].

7 Conclusion and outlook

We have shown that HML, despite its structural limitations, is sufficiently expressive tospecify an initial property ϕ0 and a characteristic invariant χI for an arbitrary finite-stateprocess P such that ϕ0 ∧AG(χI ) is a characteristic formula for P . This means, in particular,

5 Such CCS processes can be represented as a labeled tree with finite depth.6 This is an immediate consequence of the fact that bisimilarity coincides with the limit of n-bisimilarity forfinitely branching systems—a key property originally exploited in [17].

123

Characteristic invariants in Hennessy–Milner logic 685

that it is sufficient to check anHML formula for each state of a candidatefinite-state process toverify that it is bisimulation equivalent to P . In fact, our proofs do not require the candidateprocesses to be finite state. In particular, our theorem also holds for context-free [5] andpush-down candidate systems [6].

The first model checking algorithm for context-free systems has been presented in 1992in [5]. It was linear in the size of the context-free process representation and exponential inthe size of the, in this case alternation-free, modal μ-calculus formula, or better, in the sizeof a corresponding modal equational system. Extensions covered pushdown-processes [6]and later sequential processes for the full modalμ-calculus [7]. Combining these algorithms,whose implementation in the fixed point analysis machine has been presented in CONCUR1995 [29], with an algorithm that constructs characteristic formulas in terms of modal equa-tional systems (e.g. [30]) immediately implies:

Bisimulation checking of context-free processes with a finite-state process can be per-formed in exponential time via model checking of characteristic formulas.

Even though not explicitly formulated back then, there existed a corresponding imple-mentation already in 1995 [29]. Related results concerning equivalence checking involvinginfinite-state systems can be found in [3,4,20,22–24].

Currently, we are re-implementing the algorithms for characteristic formula constructionand context-free model checking, also with the goal to experimentally evaluate their practicalefficiency. Our model checking algorithm uses shared BDDs7 to efficiently represent theproperty transformers that are characteristic of our second-order treatment of context-freesystems. It is not clear how the choice of characteristic formula construction interferes withthe second-order fixed point computation, whether there are advantageous process patterns,or whether there are certain technological bottlenecks that can be overcome. An example forthe latter category is the treatment of the identity function, which is intuitively very simple,but whose representation in terms of shared BDDs is bound to explode.

Acknowledgements Open Access funding provided by Projekt DEAL.

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, whichpermits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you giveappropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence,and indicate if changes were made. The images or other third party material in this article are included in thearticle’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material isnot included in the article’s Creative Commons licence and your intended use is not permitted by statutoryregulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

References

1. Bradfield, J.C., Stirling, C.: Modal mu-calculi. In: Blackburn, P., van Benthem, J.F.A.K., Wolter, F. (eds.)Handbook of Modal Logic, Studies in logic and practical reasoning, vol. 3, pp. 721–756. North-Holland(2007). https://doi.org/10.1016/s1570-2464(07)80015-2

2. Browne,M.C., Clarke, E.M., Grumberg, O.: Characterizing Kripke structures in temporal logic. In: Ehrig,H., Kowalski, R.A., Levi, G., Montanari, U. (eds.) TAPSOFT’87: Proceedings of the International JointConference on Theory and Practice of Software Development, Pisa, Italy, March 23–27, 1987, Volume1: Advanced Seminar on Foundations of Innovative Software Development I and Colloquium on Treesin Algebra and Programming (CAAP’87), Lecture Notes in Computer Science, vol. 249, pp. 256–270.Springer (1987). https://doi.org/10.1007/3-540-17660-8_60

7 A shared BDD is an aggregation of multiple BDDs into one BDD with multiple start nodes.

123

686 M. Jasper et al.

3. Burkart, O., Caucal, D., Moller, F., Steffen, B.: Verification on infinite structures. In: Bergstra, J., Ponse,A., Smolka, S. (eds.) Handbook of Process Algebra, pp. 545–623. Elsevier Science, Amsterdam (2001).https://doi.org/10.1016/B978-044482830-9/50027-8. http://www.sciencedirect.com/science/article/pii/B9780444828309500278

4. Burkart, O., Caucal, D., Steffen, B.: Bisimulation collapse and the process taxonomy. In: Montanari, U.,Sassone, V. (eds.) CONCUR ’96, Concurrency Theory, 7th International Conference, Pisa, Italy, August26–29, 1996, Proceedings, Lecture Notes in Computer Science, vol. 1119, pp. 247–262. Springer (1996).https://doi.org/10.1007/3-540-61604-7_59

5. Burkart, O., Steffen, B.: Model checking for context-free processes. In: Cleaveland, W. (ed.) CONCUR’92, pp. 123–137. Springer, Berlin Heidelberg, Berlin, Heidelberg (1992)

6. Burkart, O., Steffen, B.: Pushdown Processes: Parallel Composition and Model Checking, pp. 98–113.Springer Berlin Heidelberg, Berlin, Heidelberg (1994). https://doi.org/10.1007/BFb0015001

7. Burkart, O., Steffen, B.: Model checking the full modal mu-calculus for infinite sequential processes. In:Degano, P., Gorrieri, R., Marchetti-Spaccamela, A. (eds.) Automata, Languages and Programming, pp.419–429. Springer, Berlin Heidelberg, Berlin, Heidelberg (1997)

8. Fischer, N., van Glabbeek, R.: Axiomatising infinitary probabilistic weak bisimilarity of finite-statebehaviours. J. Logical Algebraic Methods Program. 102, 64–102 (2019). https://doi.org/10.1016/j.jlamp.2018.09.006. http://www.sciencedirect.com/science/article/pii/S2352220817302201

9. Floyd, R.W.: Assigning Meanings to Programs, pp. 65–81. Springer Netherlands, Dordrecht (1993).https://doi.org/10.1007/978-94-011-1793-7_4

10. Fokkink, W., van Glabbeek, R., de Wind, P.: Compositionality of Hennessy–Milner logic through struc-tural operational semantics. In: Lingas, A., Nilsson, B.J. (eds.) Fundamentals of Computation Theory, pp.412–422. Springer, Berlin Heidelberg, Berlin, Heidelberg (2003)

11. Fokkink, W., van Glabbeek, R., de Wind, P.: Compositionality of Hennessy–Milner logic by structuraloperational semantics. Theor. Comput. Sci. 354(3), 421–440 (2006). https://doi.org/10.1016/j.tcs.2005.11.035. http://www.sciencedirect.com/science/article/pii/S0304397505008819

12. Fokkink, W., van Glabbeek, R., de Wind, P.: Divide and congruence: from decomposition of modalitiesto preservation of branching bisimulation. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.P.(eds.) Formal Methods for Components and Objects, pp. 195–218. Springer, Berlin Heidelberg, Berlin,Heidelberg (2006)

13. Graf, S., Sifakis, J.: A modal characterization of observational congruence on finite terms of CCS. In:Paredaens, J. (ed.) Automata, Languages and Programming, 11th Colloquium, Antwerp, Belgium, July16–20, 1984, Proceedings, Lecture Notes in Computer Science, vol. 172, pp. 222–234. Springer (1984).https://doi.org/10.1007/3-540-13345-3_20

14. Graf, S., Sifakis, J.: A logic for the description of non-deterministic programs and their properties. Inf.Control 68(1–3), 254–270 (1986). https://doi.org/10.1016/S0019-9958(86)80038-9

15. Graf, S., Sifakis, J.: A modal characterization of observational congruence on finite terms of CCS. Inf.Control 68(1–3), 125–145 (1986). https://doi.org/10.1016/S0019-9958(86)80031-6

16. Habib, M., Paul, C., Viennot, L.: Partition refinement techniques: an interesting algorithmic tool kit. Int.J. Found. Comput. Sci. 10(2), 147–170 (1999). https://doi.org/10.1142/S0129054199000125

17. Hennessy, M., Milner, R.: On observing nondeterminism and concurrency. In: de Bakker, J.W., vanLeeuwen, J. (eds.) Automata, Languages and Programming, 7th Colloquium, Noordweijkerhout, TheNetherlands, July 14–18, 1980, Proceedings, Lecture Notes in Computer Science, vol. 85, pp. 299–309.Springer (1980). https://doi.org/10.1007/3-540-10003-2_79

18. Hennessy, M., Milner, R.: Algebraic laws for nondeterminism and concurrency. J. ACM 32(1), 137–161(1985). https://doi.org/10.1145/2455.2460

19. Hopcroft, J.: An n log n algorithm for minimizing states in a finite automaton. In: Theory of Machinesand Computations, pp. 189–196. Elsevier (1971). https://doi.org/10.1016/B978-0-12-417750-5.50022-1. http://www.sciencedirect.com/science/article/pii/B9780124177505500221

20. Jancar, P., Kucera, A., Mayr, R.: Deciding bisimulation-like equivalences with finite-state processes. In:Larsen, K.G., Skyum, S., Winskel, G. (eds.) Automata, Languages and Programming, 25th InternationalColloquium, ICALP’98, Aalborg, Denmark, July 13–17, 1998, Proceedings, Lecture Notes in ComputerScience, vol. 1443, pp. 200–211. Springer (1998). https://doi.org/10.1007/BFb0055053

21. Kanellakis, P.C., Smolka, S.A.: CCS expressions, finite state processes, and three problems of equivalence.In: Probert, R.L., Lynch, N.A., Santoro, N. (eds.) Proceedings of the Second Annual ACM SIGACT-SIGOPS Symposium on Principles of Distributed Computing, Montreal, Quebec, Canada, August 17–19,1983, pp. 228–240. ACM (1983). https://doi.org/10.1145/800221.806724

22. Kucera, A., Jancar, P.: Equivalence-checking on infinite-state systems: techniques and results. TPLP 6(3),227–264 (2006). https://doi.org/10.1017/S1471068406002651

123

Characteristic invariants in Hennessy–Milner logic 687

23. Kucera, A., Mayr, R.: On the complexity of semantic equivalences for pushdown automata and BPA.In: Diks, K., Rytter, W. (eds.) Mathematical Foundations of Computer Science 2002, 27th InternationalSymposium,MFCS 2002,Warsaw, Poland, August 26–30, 2002, Proceedings, LectureNotes in ComputerScience, vol. 2420, pp. 433–445. Springer (2002). https://doi.org/10.1007/3-540-45687-2_36

24. Kucera, A., Schnoebelen, P.: A general approach to comparing infinite-state systems with their finite-statespecifications. Theor. Comput. Sci. 358(2–3), 315–333 (2006). https://doi.org/10.1016/j.tcs.2006.01.021

25. Mayr, R.: Decidability of model checking with the temporal logic EF. Theor. Comput. Sci. 256(1), 31–62(2001). https://doi.org/10.1016/S0304-3975(00)00101-8. http://www.sciencedirect.com/science/article/pii/S0304397500001018. ISS

26. Milner, R.: A Calculus of Communicating Systems, Lecture Notes in Computer Science, vol. 92. Springer(1980). https://doi.org/10.1007/3-540-10235-3

27. Milner, R.: Communication and Concurrency. PHI Series in Computer Science. Prentice Hall, UpperSaddle River (1989)

28. Steffen, B.: Characteristic formulae. In: Ausiello, G., Dezani-Ciancaglini, M., Rocca, S.R.D. (eds.)Automata, Languages and Programming, 16th International Colloquium, ICALP89, Stresa, Italy, July11–15, 1989, Proceedings, Lecture Notes in Computer Science, vol. 372, pp. 723–732. Springer (1989).https://doi.org/10.1007/BFb0035794

29. Steffen, B., Claßen, A., Klein, M., Knoop, J., Margaria, T.: The fixpoint-analysis machine. In: Lee, I.,Smolka, S.A. (eds.) CONCUR ’95: Concurrency Theory, pp. 72–87. Springer, Berlin Heidelberg, Berlin,Heidelberg (1995)

30. Steffen, B., Ingólfsdóttir, A.: Characteristic formulas for processes with divergence. Inf. Comput. 110(1),149–163 (1994). https://doi.org/10.1006/inco.1994.1028

31. Steffen, B., Isberner,M., Jasper,M.: Playingwith abstraction and representation. In: Probst, C.W., Hankin,C., Hansen, R.R. (eds.) Semantics, Logics, and Calculi, pp. 191–213. Springer International Publishing(2016). https://doi.org/10.1007/978-3-319-27810-0_10

32. van Glabbeek, R.: A complete axiomatization for branching bisimulation congruence of finite-statebehaviours. In: Borzyszkowski, A.M., Sokołowski, S. (eds.) Mathematical Foundations of ComputerScience 1993, pp. 473–484. Springer, Berlin Heidelberg, Berlin, Heidelberg (1993)

33. van Glabbeek, R.: The linear time—branching time spectrum ii. In: Best, E. (ed.) CONCUR’93, pp.66–81. Springer, Berlin Heidelberg, Berlin, Heidelberg (1993)

34. van Glabbeek, R.: What is branching time semantics and why to use it? In: Nielsen, M. (ed.) The Con-currency Column, Bulletin of the EATCS 53, pp. 190–198 (1994)

35. van Glabbeek, R.: The linear time—branching time spectrum i. The semantics of concrete, sequen-tial processes. In: Bergstra, J., Ponse, A., Smolka, S. (eds.) Handbook of Process Algebra, pp. 3–99.Elsevier Science, Amsterdam (2001). https://doi.org/10.1016/B978-044482830-9/50019-9. http://www.sciencedirect.com/science/article/pii/B9780444828309500199

36. van Glabbeek, R.: A Characterisation of Weak Bisimulation Congruence, pp. 26–39. Springer BerlinHeidelberg, Berlin, Heidelberg (2005). https://doi.org/10.1007/11601548_4

37. van Glabbeek, R.: On cool congruence formats for weak bisimulations. Theor. Comput. Sci. 412(28),3283–3302 (2011). https://doi.org/10.1016/j.tcs.2011.02.036. http://www.sciencedirect.com/science/article/pii/S0304397511001605

38. van Glabbeek, R., Luttik, B., Trcka, N.: Branching bisimilarity with explicit divergence. FundamentaInformaticae 93(4), 371–392 (2009)

39. van Glabbeek, R., Smolka, S., Steffen, B.: Reactive, generative, and stratified models of probabilis-tic processes. Inf Comput 121(1), 59–80 (1995). https://doi.org/10.1006/inco.1995.1123. http://www.sciencedirect.com/science/article/pii/S0890540185711236

40. van Glabbeek, R., Weijland, W.P.: Branching time and abstraction in bisimulation semantics. J. ACM43(3), 555–600 (1996). https://doi.org/10.1145/233551.233556

Publisher’s Note Springer Nature remains neutral with regard to jurisdictional claims in published maps andinstitutional affiliations.

123